Just because this thread is quiet doesn't mean we have no competing rootkits. But people seem to prefer submitting at the last minute (they've emailed me). Let's hope we get some nice submissions April 20.
BTW: The full conference program including abstracts is published. Check it out: http://www.owasp.org/index.php?title=OWASP_AppSec_Research_2010_-_Stockholm,_Sweden
The winner of this compo g
Forum: OMG Ponies

<drumroll> The 10th OWASP AppSec Research 2010 Challenge is here! Only three chances left to win tickets. </drumroll>
It's time to write an Enterprise Java rootkit. Your assignment is to be the evil developer who implements and hides a backdoor in a Java servlet. We've implemented a very simple login web application and exported it as an Eclipse project that you can download. It's a

Hi all!
Long time no message. But the judges of the OWASP AppSec Research 2010 OC have decided to give first prize to Thornmaker.
This really was a nice compo. And I will use the polyglot to demo stuff. With due credit of course.
Congratulations on winning a free ticket, Thornmaker. See you at the conference this summer!
http://www.owasp.org/index.php?title=OWASP_AppSec_Research_2010_-_S

And we have a winner! sundancekid gets the hundred with the last password "winna".
Congratulations and a warm welcome to the conference in Stockholm, June 21-24. We'll get in contact with you regarding registration.
Sundancekid 108 points
Thornmaker 99 points
Ethicalhack3r 1 point
Thanks everyone for the hard work and exciting end!

@sirdarckcat
If I replace the strToHash on line 70 with the correct password the boolean expression in the conditional on line 71 becomes true.
My workspace is set to UTF-8 if that helps.

@Reiners
hasher.convertToUpperCaseHex(hasher.gost3411.digest("jZbTapryL".getBytes())) = E375ED0770C66195B6566987B41EF4B071F4EB5316B67D9638D4934CD3436DE8 != 16CC9F1FF65688E040F5ADA82A41A258FF948769CDA4C4A17D85228A6F358971
... according to the Java code supplied. So as far as I can see the compo is still open.

Phew, that's fast! But I can only confirm the cracked hashes. So we have pwd8 left to break -- GOST3411(pwd8 + "pryL").
Current standing:
Thornmaker 99 points
Sundancekid 8 points
Ethicalhack3r 1 point
... and the final hash (GOST3411) gives 100 points so it's still an open game!

Yes, LM(pwd1) = OWASP, so ethicalhack3r earns 1 point.
As stated above -- the first one to publish a certain password *here* on sla.ckers earns the points. The email to me (John) is just to track progress and correct any misunderstandings.
Good luck with MD2!

February's AppSec Research 2010 challenge is about breaking hashed passwords. It starts off easy with the old LM hash and ends with SHA256 and GOST3411.
http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden#tab=Challenges
*** How To Win (with a twist) ***
The first one to publish each broken password gets points according to the table below but at the same time helps

@sirdarckcat
More or less. But we didn't want to focus the rules too hard on file size since that would just make it into a gif compression challenge.
So, we give you a list of increasingly complex payloads to squeeze into the gif without it _growing_ in size. If your gif is smaller than everyone else's, or if you manage to fit in even more JavaScript features in it -- well, I'm impressed!
I

We can take away the link but now you guys have seen it :).
We just thought it would seem too hard if we didn't provide some guidance.
Another cool thing with this challenge is that this polyglot will be a really cool showcase for talks on input validation and XSS. Your users are allowed to upload gif images but not JavaScript. Then someone uploads a polyglot ...

This is the official thread for OWASP AppSec Research Challenge 8 where you're supposed to construct an OWASP polyglot -- a gif image that can also be run as JavaScript!
Show image: <img src="owasp_logo.gif">
Run script: <script src="owasp_logo.gif"></script>
Rules and howtos here: http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_

OK, the October challenge is closed and we have at least two really cool effects. Be sure to join the conference mailing list (https://lists.owasp.org/mailman/listinfo/appsec_eu_2010) if you want to know how this challenge ends _and_ hear about the coming challenges.
/John

@sirdarckcat
Some nice refinements there. Yeah, the star effect looks better than the circle. Works nicely in my FF.
A rumor has it that TommyM is working on something really cool. He's been asking about games and someone said "sound" :P.

@sirdarckcat
Version 3 is looking good.
It's fine if it only works in FF 3.5 (that's what we stated in the rules). But I use Safari as my default browser so I just noticed the fireworks didn't work there.

FireworksIsNotABrowser_v2.js was cool. Did you copy-paste that one too? :P
I guess not since you worked it out with the view over Stockholm Old Town.
Works fine in my FF but not in Safari. Wonder why?

AFlyFlyingOverSweedenWithLettersOrbitingAroundItOhDidIEverToldUGuysThatILikeLongNamesYeahhhhhhhhh_v1.js is really nice (although currently too many chars)!
A pity the letters are anti-aliased for white background. Maybe we should fix that ...

Works fine with the link but not when I paste it in the URL bar for the AppSec Research 2010 wiki page. I haven't spent time investigating why though. Safari 4.0.3 on a Mac.
Anyway -- a nice effect! And you have another 1000 chars to spend :).

Some 8-bit music along with that and I'll feel like a young teenager again :).
Yeah, games are OK. But they'll be judged on gfx, originality, and coolness since we need to compare them with the gfx effects.